Missing CORS Policy in Apollo GraphQL Server
Description
The Apollo GraphQL server lacks a CORS policy. By default, the server uses the Access-Control-Allow-Origin HTTP header with the wildcard value (*).
Examples
Insecure Code

```js
const { ApolloServer } = require('apollo-server-express');
// No cors option given: the server answers with Access-Control-Allow-Origin: *
const server = new ApolloServer({ typeDefs, resolvers });
```

Secure Code

```js
const { ApolloServer } = require('apollo-server-express');
// Explicit cors option: only the named origin is allowed to call this API
const server = new ApolloServer({ typeDefs, resolvers, cors: { origin: 'https://example.com' } });
```

Remediation
Configure CORS options for Apollo Server by adding the cors property to the ApolloServer constructor, e.g., new ApolloServer({ cors: { origin: 'https://example.com' } })
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0284 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-942 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | LOW |
| Exploitability | MODERATE |
| Tags | cors, apollo-server |
| OWASP | N/A |